Today, safety is considered to be of the highest importance in most societies. In the context of the military, safety is
essential to averting loss of life and damage to a high-value asset. While safety may take second place to winning a war,
its importance is further accentuated because of its bearing on battlefield readiness. There have been numerous
instances to illustrate this last point. To wit:

Widespread  Fatigue  Damage  (WFD)  was  discovered  in  "weep  holes"  of  fuel  tanks  of  some  C-141  military 
transport  airplanes.  Because  of  the  loss  of  minimum  residual  strength,  with  the  attendant  risk  of  catastrophic  fracture 
posed  by  WFD,  the  entire  fleet  had  to  be  grounded  and  an  expensive  refurbishment  program  had  to  be  undertaken  before 
the  fleet  was  deemed  to  be  airworthy.  In  this  instance,  the  unsafe  condition  was  detected  and  corrected  quickly,  so  no 
lives  were  lost  nor  did  any  of  the  airplanes  in  the  fleet  suffer  catastrophic  damage.  However,  the  grounded  aircraft  were 
certainly  not  battle-ready  for  a certain  length  of  time.  Had  they  been  sent  into  battle,  they  would  have  had  to  be  operated 
under  severe  flight  restrictions  and,  thus,  their  utility  to  serve  the  purpose  of  the  deployed  forces  would  have  been  very 
restricted.  Had  they  been  deployed  without  any  restrictions,  in  all  probability  they  would  have  been  unable  to  complete 
their  missions  and  the  Air  Force  could  have  lost  valuable  aircraft  assets.  Also,  the  necessary  logistic  support  to  properly 
carry  out  tactical  operations  in  the  battlefield  would  not  have  been  available. 

WFD  was  the  primary  cause  of  a highly  publicized  air  accident  involving  a commercial  aircraft.  The  wide 
publicity  given  to  that  single  accident,  abetted  by  on-site  video  tape  recording  of  the  condition  of  the  aircraft  after  it  had 
landed,  shook  the  confidence  of  the  public  in  the  safety  of  commercial  aviation.  As  a result,  inspection  and  refurbishment 
of  3000  jet  transport  airplanes  among  a fleet  of  about  5000  was  mandated  by  the  authorities,  to  be  undertaken  on  an 
urgent  basis.  The  economic  impact  of  this  mandate  on  the  airlines,  the  aircraft  manufacturer  and  the  flying  public  was 
high  and  resulted  in  numerous  complaints  to  the  regulatory  authorities.  It  must  be  noted  that  since  that  time  more  than 
twelve  years  have  elapsed  without  a single  accident  attributable  to  WFD. 

These  instances  explain  my  motivation  for  including  the  subject  of  safety  during  this  Lecture  Series.  However, 
the  subject  is  extensive  and  so  many  books  have  appeared  that  address  some  aspect  or  the  other  that  my  remarks  are 
meant  to  complement  the  existing  literature.  Much  of  what  I intend  to  share  with  you  today  is  not  something  I have 
developed  on  my  own,  rather  it  has  been  influenced  by  my  comrades  and  peers  when  I was  in  the  civil  aviation 
community. 

Scope  of  the  Lecture  - Analysis  and  Data  Requirements  for  Assessment  of  Operational  Safety: 

An  aircraft  is  an  assemblage  of  complex  and  highly  integrated  sub-systems  - the  structure,  the  power-plant,  the 
electrical, the mechanical, and hydraulic systems, the avionics suite, and the human-in-the-loop, to name a few. To eliminate
the risk of the sub-systems failing, individually or in concert, safety analyses are routinely performed by aircraft
manufacturers.  The  manufacturer  also  conducts  analyses  to  ascertain  the  consequence  of  a failed  part  to  assure  that  it 
does  not  in  any  way  threaten  the  safety  of  the  entire  system. 

Before  an  aircraft  model  enters  service,  whether  for  military  or  civil  use,  the  design  has  to  satisfy  a rigorous  set 
of  requirements,  which  are  governed  by  regulations.  These  requirements  include  an  analysis  of  the  probability  of  failure 
of  each  component  and  the  hazard  caused  by  the  failure.  This  subject,  termed  as  "Systemic  Safety  [1],"  will  be  beyond 
the scope of this lecture. Rather, the remarks will concentrate on the operational phase of the aircraft's life, that is, the
phase subsequent to the aircraft being put into operational use for the first time.

However,  keep  in  mind  that  before  the  aircraft  enters  the  fleet,  there  are  numerous  design  reviews,  ground  and 
flight  tests,  and  production  approvals  that  are  required  to  assure  that  the  aircraft  is  safe  and  able  to  perform  as  intended  in 
the  operating  environment.  At  times,  the  origin  of  problems  that  are  encountered  in  service  may  be  inherent  in  the  design 
or  the  manufacturing  stage  or  due  to  construction  methods.  For  instance,  an  element  in  the  chain  that  led  to  the  failure  of 
the  commercial  aircraft  mentioned  earlier  was  a failed  bond.  The  failed  bond  resulted  from  an  inadequate  bonding 
process.  It  created  stress  risers  at  the  rivets,  which  were  designed  to  merely  serve  as  secondary  conduits  for  transferring 
load. The resulting fatigue cracks were aggravated by loss of material due to corrosion, resulting in intrusion of moisture
from condensation and precipitation. Such problems that are encountered in service must be quickly corrected in order to
prevent accidents and to maintain battle-readiness of the fleet. An essential requirement for quick resolution of this type
of problem is a technical team that is familiar with not only the design features of the aircraft model and any subsequent
modifications  that  had  been  effected  previously  but  also  the  original  design  philosophy  that  guided  the  design.  Often,  it  is 
beneficial  to  retain  some  members  of  the  original  design  team  to  serve  in  the  maintenance  group  in  order  to  maintain  the 
necessary  know-how. 

Measurement  of  Safety 

In  order  to  assess  safety  of  a system  after  it  enters  service  one  must  define  safety  and  establish  a set  of  metrics 
(measurement  standards)  for  safety.  A metric  may  be  the  number  of  failures  per  one  thousand  operations,  or  it  may  be  an 
incident  rate  or  an  accident  rate.  Such  gross  metrics  are  normally  refined  by  dividing  the  accidents  into  categories  by 
causal  relationships.  Furthermore,  metrics  are  often  normalized  in  terms  of  usage.  In  any  event,  the  establishment  of 
safety  metrics  has  been  subjective,  to  say  the  least,  and  a bit  disorganized  from  the  standpoint  of  relating  the  accident 
cause, the events leading up to the accident, and the design fix. The problem is best illustrated through Figures 1 and 2.
Both  figures  have  been  extracted  from  publicly  released  Boeing  Airplane  Company  documents  [2,  3].  They  depict  the 
relative  risk  of  an  accident  as  a function  of  the  phase  of  flight,  based  on  historical  data.  Clearly,  if  miles  flown  is  chosen 
as  the  normalizing  factor  for  a safety  metric,  the  metric  chosen  ignores  the  fact  that  risks  between  destinations  involving 
multiple  flight  legs  and  the  risk  involved  for  a single  leg,  for  the  same  distance  traveled,  are  unequal  - hence,  the  metric 
would  be  inappropriate.  Similarly,  in  the  assessment  of  military  aircraft,  the  hours  of  operation  is  usually  chosen  as  the 
normalizing  factor  but  such  a choice  ignores  the  fact  that  the  mission  profiles  could  be  vastly  different,  even  for  the  same 
aircraft  model  but  used  in  different  squadrons.  Thus,  the  establishment  of  multiple  metrics  for  risk  using  the  same 
database  increases  the  opportunity  for  establishing  a correlation  between  data  and  risk,  thereby  making  the  safety 
management  system  more  robust. 


Figure 1.

Figure 2.

Accidents and the Role of Precursors:

It  is  generally  agreed  that  there  exist  certain  precursors  to  each  accident  and  incident.  If  one  of  these  precursors 
is  not  recognized  and  the  underlying  condition  that  has  caused  it  is  not  corrected  in  time,  then  it  can  graduate  into  an 
incident  or  even  an  accident.  Aircraft  are  highly  engineered  systems,  endowed  with  redundancies  and  fail-safe  features. 
They  are  "noisy"  systems.  That  is,  they  can  give  so  many  indications,  of  which  only  a few  are  precursors,  that  one  can 
easily  be  lulled  into  complacency.  Fail  safety  embraces  two  concepts.  One  is  the  concept  that  the  first  failure  does  not 
impair  functionality  of  the  system.  The  second  is  that  the  first  failure  must  be  obvious  to  the  extent  that  it  will,  in  all 
likelihood,  be  detected  well  before  the  onset  of  subsequent  failures,  which  may  endanger  the  safety  of  the  system.  Thus, 
the  first  occurrence  of  a service  difficulty  associated  with  a sub-system  in  an  aircraft  is  a prospective  precursor  of 
progressive  failures  that  could  result  in  an  incident  or  accident.  Furthermore,  multiple  occurrences  of  service  difficulties, 
especially  after  corrective  actions  have  been  attempted,  are  indicators  that  the  risk  of  an  incident  or  accident  is  rising.  To 
take  full  advantage  of  being  given  such  warnings,  the  organization  responsible  for  safe  operation  of  the  aircraft  must 
systematically  collect  reports  of  service  difficulties.  Just  as  importantly,  this  same  organization  must  systematically  and 
expeditiously analyze the reports being collected to establish the root cause of the difficulty or difficulties and its
potential  for  a resulting  accident  or  incident.  The  analysis  must  be  accomplished  early  in  order  to  allow  sufficient  lead- 
time  for  corrective  action  to  be  taken.  Even  with  a service  difficulty  collection  and  analysis  system  in  place,  the 
organization  will  be  unable  to  use  it  to  reduce  or  eliminate  incidents  and  accidents  unless  higher  management  in  the 
organization  recognizes  their  value  and  directs  development  and  implementation  of  corrective  action.  Clearly,  improved 
safety  will  result  if  attention  is  more  focused  on  precursors. 

Detection of Service Difficulty

A Service  Difficulty  is  symptomatically  manifested  by  one  of  the  following: 

Visual,  such  as  cracks,  warning  lights,  observation  of  smoke,  etc. 

Aural,  such  as  alarms,  abnormal  sounds,  etc. 

Tactile,  such  as  excessive  vibration,  electrical  shock,  stick  response,  etc. 

Olfactory,  such  as  fumes  from  electrical  systems  or  oil  or  rubber,  etc. 

Response  to  transducer  devices  such  as  those  used  for  nondestructive  inspection  of  structural  components. 

Service  difficulties  can  manifest  themselves  during  airworthiness  inspections  and  other  maintenance  related 
activities.  One  example  is  the  detection  of  a structural  fatigue  crack  in  an  area  adjacent  to  the  area  being  inspected.  The 
maintenance  program  had  no  instructions  for  inspecting  this  cracked  area.  Had  the  service  difficulty  report  not  been  filed 
on this crack, and had a single observant authority representative not discovered this difficulty report and investigated it,
further crack growth in this area and on other aircraft might have occurred and graduated into something serious.

It  would  be  erroneous,  however,  to  draw  a correlation  between  the  number  of  service  difficulty  reports  generated 
and  risk.  A large  number  of  reports  may  mean  that  the  operational  and  maintenance  personnel  are  alert  and  diligent  in 
reporting  discrepancies,  not  necessarily  that  the  risk  of  failure  is  rising.  In  this  case,  it  may  simply  be  a tribute  to  the 
robustness  of  the  inspection  and  maintenance  program.  Only  systematic  analysis  performed  by  trained  and 
knowledgeable analysts can correlate the risk level with service difficulty reporting rates.
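
The two points made above, that a recurrence after attempted corrective action signals rising risk while a high raw report count does not, can be shown with a short triage routine. This is an added example, not part of the original lecture; the report fields, aircraft identifiers and status names are assumptions, and the sample reports are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Report:
    day: date
    tail: str                # aircraft identifier (constructed)
    ata: str                 # ATA chapter of the affected sub-system
    corrective_action: bool  # True if a fix was attempted after this report


# Constructed sample: TAIL-A files many unrelated one-off reports,
# TAIL-B keeps reporting the same hydraulic difficulty after two fixes,
# TAIL-C has a repeat wing finding with no fix attempted yet.
REPORTS = [
    Report(date(2001, 1, 5), "TAIL-A", "21", True),
    Report(date(2001, 1, 9), "TAIL-A", "23", True),
    Report(date(2001, 2, 2), "TAIL-A", "25", False),
    Report(date(2001, 2, 18), "TAIL-A", "33", True),
    Report(date(2001, 3, 1), "TAIL-A", "38", True),
    Report(date(2001, 1, 10), "TAIL-B", "29", True),
    Report(date(2001, 2, 14), "TAIL-B", "29", True),
    Report(date(2001, 3, 3), "TAIL-B", "29", False),
    Report(date(2001, 1, 20), "TAIL-C", "57", False),
    Report(date(2001, 2, 25), "TAIL-C", "57", False),
]

# Lower rank = review first.
RANK = {"recurred_after_fix": 0, "recurring": 1, "first_occurrence": 2}


def classify(reports):
    """Map each (tail, ata) pair to a precursor status.

    first_occurrence   - a single report: a prospective precursor
    recurring          - repeated, but no fix had been attempted before the repeat
    recurred_after_fix - reported again after a corrective action: rising risk
    """
    groups = defaultdict(list)
    for r in reports:
        groups[(r.tail, r.ata)].append(r)

    status = {}
    for key, items in groups.items():
        items.sort(key=lambda r: r.day)
        if len(items) == 1:
            status[key] = "first_occurrence"
            continue
        fix_attempted = False
        after_fix = False
        for r in items:
            if fix_attempted:          # this report follows an earlier fix
                after_fix = True
            if r.corrective_action:
                fix_attempted = True
        status[key] = "recurred_after_fix" if after_fix else "recurring"
    return status


def raw_counts(reports):
    """Reports per aircraft: the naive metric the lecture warns against."""
    return Counter(r.tail for r in reports)


def review_queue(reports):
    """(status, tail, ata) tuples ordered so the analyst sees rising risk first."""
    status = classify(reports)
    rows = [(s, tail, ata) for (tail, ata), s in status.items()]
    return sorted(rows, key=lambda row: (RANK[row[0]], row[1], row[2]))


if __name__ == "__main__":
    print("raw counts:", raw_counts(REPORTS).most_common())
    for row in review_queue(REPORTS):
        print(row)
```
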

Analysis  and  Data  Requirements 

There  is  a symbiotic  relationship  between:  (a)  the  purpose  of  safety  analysis,  (b)  the  methodology  to  be  used  for 
evaluating safety (or risk), (c) the data required to perform safety analysis, (d) the confidence to be reposed in the results,
and (e) the burden of the data collection effort. All five aspects will have to be considered in concert to devise a robust
system that balances system costs (Figure 3).

Figure  3.  Elements  Associated  With  Service  Difficulty  Related  Activities 

Safety analysis may be required for a variety of purposes. For instance, gauging the general health or safety of
the fleet would require a different methodology, and could be accomplished with a more abbreviated set of data elements, than
what might be needed for a forensic analysis of an accident or incident. Thus, the circulation of a questionnaire among
the various groups involved in maintaining safety, to establish the connections between the analysis methodologies that are
being used or desired and the respective data requirements, is advocated.

Aircraft  systems  are  becoming  more  and  more  complex,  placing  more  sophisticated  demands  on  data  collection 
and analysis methods. Also, the increased attention being given to safety and the accompanying demand for data-driven
safety programs make the data elements that would have been considered adequate in the past appear lacking in
precision and detail. Thus, the number of data elements, the extent of detail to be included in any gathering effort, and the
configuration  of  the  database  itself  should  be  designed  to  allow  for  some  growth  in  data  requirements.  It  is  imperative 
that  an  organization  designing  a service  difficulty  reporting  system  that  mandates  the  collection  of  certain  data  elements 
simultaneously considers the analysis to be conducted of the collected data. Many existing databases, such as the Service
Difficulty Reports being maintained by the Federal Aviation Administration, have come in for criticism [4, 5]. These
databases  collect  many  pieces  of  data  that  are  not  used  or  are  redundant.  Such  databases  are  primarily  designed  to 
facilitate  the  collection  of  data  but  with  little  or  no  attention  being  paid  to  the  needs  of  the  analyst  to  correlate  the  data 
with  the  airworthiness  of  the  individual  aircraft  or  the  fleet.  Hence,  it  is  advocated  that  a safety  program  - any  safety 
program  - be  revisited,  perhaps  re-tuned,  every  five  years,  both  from  the  viewpoint  of  currency  and  adequacy. 

Avionics-related  malfunctions  may  have  serious  implications  in  terms  of  safety  of  new  generation  aircraft. 
These systems are being given more authority over primary flight control of the aircraft. Thus, the reporting of associated
malfunctions, defects, and failures becomes more critical to proactive safety analysis. Their failures during any phase of
operation  may  have  safety  implications.  In  any  event,  data  should  be  collected  to  support  explicit  program  requirements. 
Terminology  such  as  “abnormal  or  emergency  actions”  and  “endanger  the  safe  operation”  in  regulations  will  not  provide 
consistent  reporting  without  further  definition  and  guidance. 

The distinction between reliability and safety is much debated in the context of data requirements. It has been
argued that the data needed for performing safety analysis is not as extensive as that for maintaining reliability. However,
with the emergence of the nearly synonymous philosophies of Reliability-Based Maintenance and Condition-Based
Maintenance, which take the risk of failure(s) into account, the distinction is blurring.

Hand-held  electronic  devices  have  eliminated  much  of  the  paperwork  in  data  gathering.  Such  devices  make 
possible  the  gathering  of  voluminous  data  without  making  the  data  gathering  effort  either  burdensome  or  time  consuming. 
In  fact,  the  development  of  software  that  can  readily  depict  on  a hand-held  device  the  geometrical  layout  of  components 
as well as the inter-connectivity of the functional units would facilitate acquisition of data that capture more details
about  a malfunction  or  a failure  than  is  now  the  case.  Electronic  entry  of  data  has  another  great  advantage,  viz.,  it  avoids 
data  corruption  due  to  transcription  errors  and  expedites  the  addition  of  more  data  elements  to  the  database. 

Data  Standards 


The  term  "data  quality"  can  at  once  mean  different  things,  such  as  erroneous  data,  inconsistencies  in  the  data, 
insufficient  detail  that  has  been  captured  in  the  data,  completeness  of  the  data  sets,  etc.  Each  of  the  meanings  has  a 
bearing  on  safety.  For  instance,  there  is  a wealth  of  data  about  instances  of  cracking  in  airframe  structures  but  they  are 
not  very  useful  because  of  lack  of  precision  and  standardization.  From  the  standpoint  of  systematic  analysis  of  large 
quantities  of  data,  the  most  important  attribute  of  a safety  related  database  is  consistent  reporting.  The  adoption  of  a 
common  terminology  is  one  aspect  of  consistency.  Clarity  of  terminology  is  a related  aspect.  A critical  need  for  data  that 
is  stored  in  relational  databases  is  that  fields  should  be  assigned  in  each  data  record  (report)  to  allow  for  supplementary 
comments by the mechanic. The FAA maintains one of the largest safety databases in the world, the Service Difficulty
Reporting (SDR) System. However, because the SDR is a relational database, no provision has been made for
supplementary notes. For instance, the database does not allow the mechanic to record the specific location of a crack,
even if one is found in a principal structural element. As a result, many users rely on the SDR system only to confirm
critical  problems  that  have  already  been  found  or  suspected  - not  to  give  precursory  evidence  of  potential  incidents  or 
accidents. 

Table 1 exemplifies a form for data recording, which would make it possible for supplementary notes to be made by the
mechanic  or  inspector.  The  form  for  reporting  incidents  was  drafted  by  an  internal  FAA  team,  of  which  the  author  was  a 
member.  The  data  requirements  for  reporting  service  difficulty  can  be  developed  in  an  analogous  fashion. 

TABLE 1: EXAMPLE OF A FORM FOR RECORDING AN INCIDENT

BATCH #:                I.D.#:

REV.   DATE     ANALYST     REVIEWER
0      / /
1      / /
2      / /
3      / /

EVENT ID NUMBER:

TIME OF EVENT: (SELECT ONE)
    / / /   (YY MM DD SE)
    UT      LOCAL TIME      UNKNOWN

EVENT CLASSIFICATION:
    HAZARDOUS      MAJOR      MINOR      DAMAGE

LOCATION:
    DEPARTURE AIRPORT
    DESTINATION AIRPORT
    EVENT LOC. (CITY)
    COUNTRY (EVENT)
    LAT/LONG
    UNKNOWN

AIRCRAFT:
    TYPE-SERIES
    A/C MAKE
    FUSELAGE NO.
    DATE MANUFACTURED
    TAIL NUMBER
    SERIAL NUMBER
    ENGINE MAKE
    ENGINE MODEL(S)
    ENGINE SERIAL NO(S).
    FLIGHT NUMBER

METEOROLOGICAL/ENVIRONMENT:
    IMC/VMC
    CLOUD CEILING (FT OR M)
    LIGHT CONDITIONS (DAY/NIGHT/DUSK/DAWN)
    VISIBILITY (FT, M, MI)
    WIND: DIRECTION, VELOCITY IN KTS
    TEMPERATURE (F OR C)
    MICROBURST
    CAT
    WINDSHEAR
    VERTICAL TURBULENCE
    HAZE
    HAIL
    BIRDS
    SNOW/SLUSH
    SAND/ASH
    THUN STRMS
    LIGHTNING
    OTHER WEATHER
    ICE/RAIN/FOG/GUSTS

TYPE OF MISSION: (SELECT UP TO 2)
    SCHEDULED PAX        CARGO
    UNSCHEDULED PAX      FERRY
    FLIGHT TEST          TRAINING
    UNKNOWN              MAINT

AIRLINE/OPERATOR:
    OPERATOR NAME
    OPERATOR OAG CODE

PHASE OF OPERATION:
    BOARDING
    CARGO LOADING
    ENGINE START
    TAXI
    TAKE OFF
        ROLL
        ROTATION
        INIT CLIMB
    GO AROUND
    DURING DIVERT
    DESCENT
    APPROACH
        INITIAL
        FINAL
    LANDING
        FLARE & TOUCHDOWN
        ROLL
    TOUCH AND GO
    CRUISE
    DEBOARDING
    PARKED
    REFUELING
    INSPECTION
    TOWED
    SERVICING
    UNKNOWN
    CLIMB TO CRUISE
    TAXI

HARDWARE INVOLVED IN INCIDENT:
    ATA CODE
    NAME
    MODEL
    MAKE
    LOCATION
    PART NUMBER
    TOTAL TIME
    TIME SINCE O/H
    CYCLES SINCE O/H
    TOTAL CYCLES

TYPE OF HUMAN MACHINE INTERFACE ERROR:
    Suggest that a coded list be developed that is similar to ATA codes

NAT. AVIATION SYSTEM (NAS): TBD

FLIGHT CREW EXPERIENCE:
    CAPTAIN            TIME IN TYPE ACFT      TOTAL FLYING TIME
    FIRST OFFICER      TIME IN TYPE ACFT      TOTAL FLYING TIME
    SECOND OFFICER     TIME IN TYPE ACFT      TOTAL FLYING TIME
    PILOT IN COMMAND

DATA SOURCES:
    FLIGHT CREW
    MAINTENANCE
    OPERATOR
    MANUFACTURER
    NTSB
    WAAS
    ATC
    CAA
    FLTINT
    FLIGHT SAFETY FOUNDATION
    NEWS
    AIRCLAIMS
    OTHER

BRIEF DESCRIPTION:

Describe the event/situation. Keeping in mind the following topics, discuss those which you feel are relevant and
anything else you think is important. Include what you believe really caused the problem, and what can be done to
prevent a recurrence, or correct the situation. (USE ADDITIONAL PAGES IF NECESSARY)

1. CHAIN OF EVENTS
    How the problem arose
    Contributing factors
    How was it discovered
    Corrective actions taken
    System configurations and operating modes
    What procedures were used
    How did you decide what to do
    What stopped the incident from becoming an accident
    Failure in Cockpit Resource Management
    Fatigue

2. HUMAN PERFORMANCE CONSIDERATIONS
    Perceptions, judgements, decisions
    Factors affecting the quality of human performance
    Actions or inactions
    Lack of positional awareness
    Lack of awareness of circumstances of flight
    Incorrect selection on instrument/navaid
    Action on wrong control/instrument
    Slow/delayed action
    Omission of action/inappropriate action
    Fatigue
    State of mind
    Lack of qualification/training/experience
    Incapacitation/medical or other factors reducing crew performance
    Deliberate non-adherence to procedures

FULL NARRATIVE:

ANALYST COMMENTS:

Factors  Relevant  to  Incident 

(Each  incident  usually  has  more  than  one  factor) 

Group    Factor    No. acc.

A  Causal factors

A.1  Aircraft systems
    1.1  System failure - affecting controllability
    1.2  System failure - flight deck information
    1.3  System failure - other

A.2  ATC/Ground aids
    2.1  Incorrect or inadequate instruction/advice
    2.2  Misunderstood/missed communication
    2.3  Failure to provide separation - air
    2.4  Failure to provide separation - ground
    2.5  Ground aid malfunction or unavailability

A.3  Environmental
    3.1  Structural overload
    3.2  Wind shear/upset/turbulence
    3.3  Icing
    3.4  Wake turbulence - aircraft spacing
    3.5  Volcanic ash/sand/precipitation etc.
    3.6  Birds
    3.7  Lightning
    3.8  Runway condition unknown to crew

A.4  Crew
    4.1  Lack of positional awareness - in air
    4.2  Lack of positional awareness - on ground
    4.3  Lack of awareness of circumstances in flight
    4.4  Incorrect selection on instrument/navaid
    4.5  Action on wrong control/instrument
    4.6  Slow/delayed action
    4.7  Omission of action/inappropriate action
    4.8  “Press-on-itis”
    4.9  Failure in CRM (cross-check/co-ordinate)
    4.10  Poor professional judgments/airmanship
    4.11  Disorientation
    4.12  Fatigue
    4.13  State of mind
    4.14  Interaction with automation
    4.15  Fast and/or high on approach
    4.16  Slow and/or low on approach
    4.17  Loading incorrect
    4.18  Flight handling
    4.19  Lack of qualification/training/experience
    4.20  Incapacitation/medical or other factors reducing crew performance
    4.21  Failure in look-out
    4.22  Deliberate non-adherence to procedures

A.5  Engine
    5.1  Engine failure
    5.2  Propeller failure
    5.3  Damage due to non-containment
    5.4  Fuel contamination
    5.5  Engine failure simulated

A.6  Fire
    6.1  Engine fire or overheat
    6.2  Fire due to aircraft systems
    6.3  Fire - other cause
    6.4  Post crash fire

A.7  Maintenance/ground handling
    7.1  Failure to complete due maintenance
    7.2  Maintenance or repair error/oversight/inadequacy
    7.3  Ground staff struck by aircraft
    7.4  Loading error
    7.5  SUPS - Suspected Unapproved Parts
    7.6  Unapproved Parts

A.8  Structure
    8.1  Corrosion/fatigue
    8.2  Overload failure
    8.3  Flutter

A.9  Infrastructure
    9.1  Incorrect, inadequate or misleading information to crew
    9.2  Inadequate airport support

A.10  Design
    10.1  Design shortcomings
    10.2  Unapproved modification
    10.3  Manufacturing defect

A.11  Performance
    11.1  Unable to maintain speed/height
    11.2  Aircraft becomes uncontrollable

A.12  Other
    12.1  Caused by other aircraft
    12.2  Non-adherence to cabin safety procedures

B  Circumstantial factors

B.1  Aircraft systems
    1.1  Non-fitment of presently available safety equipment (GPWS, TCAS, windshear warning, etc.)
    1.2  Failure/inadequacy of safety equipment

B.2  ATC/ground aids
    2.1  Lack of ATC
    2.2  Lack of ground aids

B.3  Environmental
    3.1  Poor visibility
    3.2  Other weather
    3.3  Runway condition (ice, slippery, standing water, etc.)

B.4  Training
    4.1  Training inadequate
    4.2  Presented with situation beyond training
    4.3  Failure in CRM (cross-check/co-ordinate)

B.5  Infrastructure
    5.1  Incorrect/inadequate procedures
    5.2  Company management failure
    5.3  Inadequate regulation
    5.4  Inadequate regulatory oversight

C  Consequences
    C.1  Controlled Flight Into Terrain (CFIT)
    C.2  Collision with terrain/water/obstacle
    C.3  Mid-air collision
    C.4  Ground collision with other aircraft
    C.5  Ground collision with object/obstacle
    C.6  Loss of control in flight
    C.7  Fuel exhaustion
    C.8  Overrun
    C.9  Undershoot
    C.10  Structural failure
    C.11  Post crash fire
    C.12  Fire/smoke during operation
    C.13  Emergency evacuation difficulties
    C.14  Forced landing - land or water
    C.15  Other cause of fatality

D  Unknown

Level of confidence: High / Medium / Low / Insufficient Information


Note:  Acts  of  terrorism  and  sabotage,  test  and  military-type  operations,  and  fatalities  to  third  parties  not  caused  by  the 
aircraft  or  its  operation  are  excluded. 

In the military context, harmonization of data standards with our NATO allies will inevitably result in more
robust  safety  systems  for  all  concerned.  Also,  since  the  occurrences  of  many  types  of  malfunctions  are  rare, 
harmonization  will  allow  data  to  be  shared  between  nations  that  operate  similar  aircraft  systems  and  increase  the  data 
pool,  thereby  decreasing  uncertainty  inherent  in  statistics-based  analysis  schemes. 

Completeness of data, whether the entry relates to deviation, malfunction, or wear, is nearly as important. The
need  to  report  and  record  every  deviation  from  the  norm,  even  though  the  vast  majority  of  cases  are  benign,  cannot  be 
over-emphasized.  It  is  also  essential  for  the  analyst  (or  analysis  group)  to  promptly  acknowledge  receipt  of  each  report 
and,  once  the  analysis  of  a report  is  complete,  to  communicate  the  results  to  the  maintenance  group.  Otherwise,  the  latter 
group  may  lose  faith  in  the  system. 

Data  Archival  and  Retrieval 


An  efficient  database  storage  system  has  to  take  into  account  several  factors.  Simultaneous  access  to  multiple 
users may be one requirement. Inclusion of pictures and documents in the database may be another. There are several
ways  to  store  and  present  data  and  several  types  of  database  management  systems  (DBMS)  have  been  devised  and  are 
commercially  available.  In  choosing  the  right  type  of  DBMS  it  is  important  to  consider  the  capability  of  a typical  user 
and the purpose underlying the use of the data. For safety analysis purposes, the DBMS should be capable of storing and
manipulating complex objects and data types efficiently. The most suitable currently available DBMS are the
ones known as object-oriented DBMS. Such relational databases allow for computer-aided searches and sorts that are
simple to implement, allowing the user to concentrate on deriving the information he or she is seeking rather than
focusing  on  the  design  of  the  database  extraction  tool.  On  the  other  hand,  if  one  is  willing  to  invest  in  more  complex 
search  engines,  the  database  may  need  to  be  less  structured  and  therefore  contain  much  more  information.  An 
explanation  of  the  various  types  of  DBMS  can  be  found  in  reference  [6].  Even  object-oriented  DBMS  have  their 
drawbacks  and,  thus,  the  entire  subject  deserves  research  attention. 

Analysis  Methods 

Service  difficulty  data  can  be  used  for  a variety  of  purposes  and  in  a variety  of  ways.  The  common  thread  that 
runs  through  all  of  them,  however,  is  risk  mitigation.  Obviously,  the  criticality  of  the  component  associated  with  the  data, 
the  number  of  incidences  of  failure,  the  consequences  of  failure,  the  method(s)  used  for  analysis,  the  confidence  band 
inherent  in  the  analysis  results,  and  the  statistical  character  of  the  occurrence  are  inextricably  related. 

Accidents  and,  to  a lesser  extent,  incidents  and  malfunctions  typically  involve  a chain  of  events.  The  chain  may 
simultaneously  involve  a design  deficiency,  a defect  induced  during  the  manufacturing  process,  improper  maintenance  or 
other  human  factors.  Some  aspects  that  are  frequently  involved  are  given  in  Table  2. 


TABLE 2: ASPECTS THAT CAN ADVERSELY AFFECT SAFETY

Design                   Manufacturing                 Maintenance
New Technology           Technological Obsolescence    Human Factors
Repair                   Unwitting Exceedances         Configuration Management
Flight Operations        Air Traffic Control           Adverse Environment
Software                 Training                      Records
Regulations              Environmental Rules           Unapproved Parts
Hazardous Cargo/Stores


It  has  been  argued  that,  since  many  factors  are  involved  in  causing  an  incident  or  accident,  the  safety 
management  system  should  be  highly  centralized.  The  author  would  argue  in  favor  of  the  opposite,  mainly  because  the 
safety system would be redundant and, hence, more robust. The responsibility for safety should be divided into
sub-groups, whose prime responsibilities are related to maintenance or air traffic control or some other factor identified in the
table.  Each  group  should  be  persuaded  to  believe  that  they  are  ultimately  responsible  for  safety  and  each  group  should  be 
allowed  to  devise  their  own  system  for  monitoring  risk.  Of  course,  each  such  group  will  be  much  better  versed  in  their 
own  specialty  and  might  tend  to  give  greater  attention  to  it.  On  the  other  hand,  it  can  be  argued  that  they  will  tend  to  take 
less  for  granted  in  other  specialty  areas  and  therefore  subject  them  to  greater  scrutiny. 

If  the  aforementioned  view  is  accepted,  it  would  follow  that  each  group  will  have  different  data  requirements. 
The latter can be fulfilled with relative ease by customizing the data, which are nevertheless drawn from the same master data pool.

One example of an extensive and well-disciplined service difficulty reporting and collection system, as has been
previously  mentioned,  is  that  being  maintained  by  the  FAA.  Unfortunately,  the  FAA  does  not  have  the  means  to 
systematically  analyze  the  data  reported,  which  purportedly  is  not  all-inclusive.  Instead,  it  does  so  in  an  ad-hoc  manner. 
That  is,  it  researches  the  database  to  seek  service  difficulties  that  indicate  the  pervasiveness  of  a fault  in  the  aircraft  fleet. 
Such  searches  are  carried  out  after  the  problem  has  been  brought  to  the  attention  of  the  authority  through  other  means, 
such  as  an  incident  or  an  accident.  However,  the  efforts  of  the  FAA  are  a valuable  adjunct  to  the  safety  analysis  efforts  by 
industry.  Moreover,  the  SDR  database  is  accessible  to  other  users,  such  as  aircraft  manufacturers  and  operators,  who, 
because of their focus, tend to be more systematic in the analysis of the data.

Causal  Analysis 

Causal  analysis  of  an  accident  or  incident  seeks  to  establish  those  factors  that  were  judged  to  be  directly 
responsible  in  causing  the  event  (primary  causal  factors)  and  those  that  contributed  to  the  event  (secondary  causal  factors) 
by  deconstructing  the  accident.  For  these  causal  factors,  a causal  chain  can  usually  be  established  for  each  accident  or 
incident  [7].  The  advantage  of  causal  chain  analysis  is  that  in  the  case  of  multiple  causes  and  multiple  accidents  or 
incidents,  the  common  events  or  elements  in  the  chain  can  be  identified  and  subjected  to  greatest  attention.  Thus,  the 
safety system can concentrate on those common events and maximize its responsiveness and effectiveness in cutting
down-times,  and  reducing  or  eliminating  accidents.  The  perceived  disadvantage  of  this  approach  is  that  it  is  reactive 
rather  than  proactive.  That  is,  the  regulating  authority  and  the  industry  (or  the  military  operators)  seek  to  eliminate  the 
causal  factor  after  the  accident  in  order  to  prevent  accidents  due  to  the  same  cause  from  happening  again. 

Causal  analysis  does  have  an  advantage  over  simulation  and  technical  conjecture  in  that  it  is  based  on  factual 
data  rather  than  models  that  mimic  a hypothetical  event  or  engineering  judgement,  which  relies  on  the  knowledge  base 
and  experience  of  the  technical  team.  Moreover,  as  has  already  been  mentioned,  in  today's  aviation  industry,  it  is  difficult 
to  retain  an  engineering  team  that  is  intimately  familiar  with  the  continuous  changes  in  the  aircraft  design  after  production 
begins. 


The  causal  analysis  approach,  however,  also  suffers  from  the  disadvantage  that  the  analysis  has  a good  measure 
of  subjectivity,  both  in  regard  to  the  list  of  factors  and  their  relative  contributions.  Also,  due  to  the  inter-dependencies  of 
the  various  factors,  such  as  those  listed  in  Table  2,  that  are  frequently  encountered,  the  relative  weights  ascribed  to  the 
various  causal  factors  can  vary  a great  deal,  as  a function  of  the  analyst.  Thus,  an  intimate  knowledge  of  the  aircraft 
system is a prerequisite for someone engaging in causal analysis. The challenge of managing aircraft safety is to identify
and  focus  on  truly  hazardous  conditions,  so  they  can  be  eliminated  before  a potential  accident  becomes  a reality. 

Trend  Analysis 

One  simple  and  effective  method  is  used  in  the  Aviation  Safety  for  Accident  Prevention  (ASAP)  program  that  is 
used  by  the  FAA's  Rotorcraft  Directorate  in  Ft.  Worth,  Texas.  The  program  selects  components  that  fail  by  part  numbers. 
For each part, it reviews the service history for 3-, 6-, 12- or 24-month periods. Based on the counts of service difficulty
reports  involving  the  part  number,  it  predicts  trends. 

A risk  level  is  assigned  to  each  report.  ASAP  has  the  ability  to  quickly  research  whether  an  accident  had  a 
service  difficulty  history.  For  example,  responding  to  a fatal  accident  involving  the  tail  rotor  driveshaft,  the  analyst  was 
able  to  track  part  numbers,  and  identify  five  service  difficulty  reports  that  had  found  the  part  to  have  been  worn  beyond 
limits,  and  contained  cracks  or  corrosion.  Two  of  the  reports  described  the  results  of  inspection  to  be  a sheared  tail  rotor 
driveshaft.  Based  on  the  accident  and  the  supporting  trend  indicated  by  the  service  history,  the  Authority  issued  an 
Airworthiness Directive (AD). A year after the issuance of the AD, no more service difficulty reports citing
that particular part were reported. But, more importantly, the incidence of sheared rotor drive shafts has been drastically
reduced.  However,  ASAP  has  one  drawback:  usage  of  ASAP  is  not  yet  proactive  in  that  the  analyst  must  be  prompted 
by  an  event,  such  as  an  accident  or  incident  to  conduct  trend  analysis  on  a given  part  or  component. 

Monitoring  of  Safety  Through  Performance  Indicators 

The  FAA's  Flight  Standards  Service  has  developed  a heuristic-based  system  called  Safety  Performance  Analysis  System 
(SPAS),  primarily  for  the  benefit  of  their  corps  of  safety  inspectors.  They  started  building  the  system  by  getting  teams  of 
highly  experienced  and  proficient  inspectors  together,  with  each  inspector  identifying  the  parameters  that  he  or  she  uses 
during  surveillance  of  an  operator  or  a repair  station  facility.  Each  team  discussed  each  of  the  identified  parameters  and 
developed  a consensus  about  the  relative  importance  of  the  parameters  that  must  be  scrutinized.  Next,  the  parameters 
were  weighted  according  to  their  perceived  importance  and  aggregated  into  groups,  with  each  group  being  termed  as  an 
"indicator." The advantage of a system that is based on indicators is that it pools the knowledge and experience of the "gray
beards" or the more experienced inspectors in the regulating Authority for use by the younger, less-experienced
inspectors.  Hence,  it  focuses  attention  on  what  is  a warning  rather  than  on  events  that  are  merely  "noises."  The 
disadvantage  is  that  a rational  derivation  of  threshold  values,  which  signal  caution  or  even  danger,  is  not  possible. 

A variation  of  the  idea  of  performance  indicators  as  measures  of  safety  is  proposed  by  the  author.  It  is  based  on 
"wiring  diagrams"  of  sub-systems  being  used  in  conjunction  with  the  concept  of  indicators.  In  the  pristine  condition, 
every  cell  in  the  wiring  diagram  would  be  colored  white.  When  a failure  of  a certain  part  occurs,  the  analyst  assesses  the 
criticality  of  the  part  to  flight  safety  and  assigns  a hue  to  that  part  (cell)  in  the  wiring  diagram.  A deeper  hue  or  color 
would  signify  that  the  part  has  a relatively  high  criticality.  The  wiring  diagram  is  constantly  updated  by  adding  more 
color  to  the  particular  part  to  reflect  arrival  of  new  service  difficulty  reports.  Two  events  will  attract  the  attention  of  the 
analyst.  The  first  is  the  depth  of  the  hue  of  a certain  cell  and  the  second  is  the  contiguity  of  cells  (the  ones  that  are 
sequentially  tied  or  represent  the  redundant  feature),  in  terms  of  their  function,  that  are  hued.  The  idea  is  based  on  the 
recognition  of  the  fact  that  in  both  cases  the  risk  of  sub-system  failure  is  increasing,  and  that  the  wiring  diagram 
pictorially  represents  the  rise.  In  fact,  it  would  be  relatively  easy  to  convert  the  logic  into  a computer  code  that 
automatically  raises  a flag  in  either  case,  which  cannot  escape  the  attention  of  the  analyst.  Also,  different  colored  flags 
may  be  set  up  to  indicate  the  level  of  alert.  The  scheme  will  also  need  to  take  into  account  replacement  or  re-design  of  the 
part,  or  the  sub-assembly  itself.  That  is  also  easily  done  by  washing  out  the  color  in  the  particular  cell  representing  the 
part or in the block of cells if the sub-assembly has been redesigned or refurbished.
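
The flagging logic described in the paragraph above, sketched in Python as an added example (it is not code from the paper). The part names, the integer criticality weights and the amber/red thresholds are assumptions made for illustration.

```python
# Hue/contiguity flagging on a sub-system "wiring diagram" (all values constructed).
class WiringDiagram:
    def __init__(self, links, amber=3, red=6):
        self.adj = {}                         # cell -> functionally tied cells
        for a, b in links:                    # sequential or redundant ties
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.hue = {p: 0 for p in self.adj}   # 0 == white (pristine)
        self.amber, self.red = amber, red     # assumed alert thresholds

    def report(self, part, criticality):      # new service difficulty report
        if part not in self.hue:
            raise KeyError(f"unknown part: {part}")
        self.hue[part] += criticality         # deepen the hue of that cell

    def wash_out(self, *parts):               # part or block replaced/re-designed
        for p in parts:
            self.hue[p] = 0

    def hued_clusters(self):                  # groups of 2+ tied cells that are hued
        seen, clusters = set(), []
        for start in sorted(p for p, h in self.hue.items() if h > 0):
            if start in seen:
                continue
            group, stack = set(), [start]
            while stack:
                p = stack.pop()
                if p not in group:
                    group.add(p)
                    stack.extend(n for n in self.adj[p] if self.hue[n] > 0)
            seen |= group
            if len(group) > 1:
                clusters.append(sorted(group))
        return clusters

    def _level(self, value):
        return "RED" if value >= self.red else "AMBER" if value >= self.amber else None

    def flags(self):                          # (level, reason, cells) tuples
        out = [(self._level(h), "depth", [p])
               for p, h in sorted(self.hue.items()) if self._level(h)]
        for group in self.hued_clusters():
            total = sum(self.hue[p] for p in group)
            out.append((self._level(total) or "AMBER", "contiguity", group))
        return out

# Constructed sample sub-system (not from the paper).
LINKS = [("gearbox", "driveshaft"), ("driveshaft", "hanger_bearing"),
         ("hanger_bearing", "tail_rotor"), ("pump_a", "pump_b")]
```

A single lightly hued cell raises nothing; two tied cells that are both hued raise a contiguity flag even when neither is deep enough to raise a depth flag on its own.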

Probabilistic  Risk  Analysis 

Several probabilistic approaches to safety have been proposed [8]. However, such approaches are not looked
upon  with  enthusiasm  because  no  one  wants  to  look  upon  safety  management  in  a manner  that  resembles  a game  of 
chance.  However,  there  are  at  least  two  major  advantages  of  a probabilistic  approach.  First,  it  takes  into  account  the 
variability  in  the  data  as  well  as  the  trends  in  the  number  of  occurrences.  It  also  provides  for  considering  the  relationship 
between  seemingly  unrelated  occurrences.  The  analyst  must  examine  the  estimated  probability  of  an  accident,  given  a 
high  probability  of  the  occurrence  of  service  events,  and  determine  if  intervention  is  required.  A unique  advantage  of  the 
probabilistic  approach  over  a deterministic  approach  is  that  it  enables  the  Authority  or  the  Safety  Office  in  the  military  to 
focus  on  the  most  likely  causes  of  hypothetical,  future  accidents,  and  prevent  them.  By  far  the  most  important  advantage 
is  that  it  enables  the  Authority,  and  the  operators,  to  get  ahead  of  the  power  curve  - that  is,  to  correct  the  condition  before 
the  first  accident  occurs. 

Concluding  Remarks 

As  new  technology  is  inducted,  aircraft  systems  will  inevitably  become  more  complex.  New  technology 
generally  means  better  performance  and  lower  costs  but  there  might  be  safety-related  challenges  as  well.  Also,  increased 
usage  and  operating  missions  beyond  what  was  envisaged  in  the  design  stage  will  magnify  the  accident  rate  as  well  as  the 
fatalities,  injuries,  or  losses  of  high-value  assets.  Safety  systems  will  need  to  be  more  sophisticated  and  better  methods 
of  analysis  will  need  to  be  employed.  Authorities,  and  in  the  case  of  the  military  - themselves,  will  need  to  focus  more  on 
preventing  accidents  due  to  service  related  events  rather  than  using  service  data  to  confirm  the  analysis  of  accidents  that 
have  already  happened. 

Concomitantly, more extensive data requirements and data archival systems will need to be engineered. Thus,
the  cost  of  maintaining  a high  level  of  safety  is  bound  to  rise  but  the  cost  due  to  not  having  an  effective  system  will  be 
many  times  greater.  Safety  of  highly  engineered  systems,  like  aircraft,  has  a high  price  tag  but  the  alternative  will  prove 
to  be  much,  much  more  expensive. 